We are implementing two Cisco Expressways for Jabber. Our DMZ zone is fronted by the BigIP F5 LTM. Instead of creating another DMZ zone just for Jabber, we would like to put the external Expressways behind the F5 (not for load balancing) instead. Is this possible? Has anyone done this successfully and can you share your experience and setup? Appreciate any comments or suggestions. Thank you.
Thanks for the quick reply, Nithin. But I don't want to create a firewall policy that indicates an outside to inside zone traffic. I'm trying to avoid creating a second DMZ zone, but I guess I will have to.
You should put the Expressway-E in a DMZ and then put the Expressway-C on the internal network. This would not be any different if you were to use F5; the network topology for an Expressway deployment stays the same. To allow traffic to your E(s) to reach the C(s) you’ll need to have a few different rules created in your firewall(s). You’ll need internet to E (external interface), E (external interface) to internet, C to E (internal interface) and management traffic to E (internal interface). If you’re using internal resources for DNS, NTP, syslog and so on, you’ll need to allow the E to reach those as well.
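As an added illustration (not code from this thread or from Cisco/F5), the flow list in the reply above can be written down as a small policy model and a candidate rule set checked against it; the zone and host names are assumptions chosen for the example.

```python
# Added example: model the firewall flows an Expressway-C/E pair needs and
# check a candidate permit list for gaps and for direct outside-to-inside rules.
# Host and zone names below are assumptions, not values from the thread.
from dataclasses import dataclass

# The Expressway-E sits in the DMZ with an outside-facing and an inside-facing
# interface; the Expressway-C, management hosts and DNS/NTP/syslog servers
# live on the internal network.
ZONE = {
    "internet": "outside",
    "exp-e-ext": "dmz",
    "exp-e-int": "dmz",
    "exp-c": "inside",
    "mgmt": "inside",
    "dns-ntp-syslog": "inside",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


# Flows the reply says must be permitted; the last one applies only when the
# Expressway-E uses internal DNS/NTP/syslog.
REQUIRED = (
    Flow("internet", "exp-e-ext"),
    Flow("exp-e-ext", "internet"),
    Flow("exp-c", "exp-e-int"),
    Flow("mgmt", "exp-e-int"),
    Flow("exp-e-int", "dns-ntp-syslog"),
)


def missing_flows(permits):
    """Return the required flows that no permit rule covers."""
    allowed = set(permits)
    return [f for f in REQUIRED if f not in allowed]


def outside_to_inside(permits):
    """Return permits that let the outside zone reach the inside zone directly,
    bypassing the DMZ (the rule the original poster wants to avoid)."""
    return [f for f in permits
            if ZONE.get(f.src) == "outside" and ZONE.get(f.dst) == "inside"]


if __name__ == "__main__":
    # Constructed candidate policy: one required flow missing, one risky rule.
    candidate = [Flow("internet", "exp-e-ext"), Flow("exp-e-ext", "internet"),
                 Flow("exp-c", "exp-e-int"), Flow("mgmt", "exp-e-int"),
                 Flow("internet", "exp-c")]
    print("missing:", missing_flows(candidate))
    print("outside->inside:", outside_to_inside(candidate))
```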
We use F5 for this. It fronts our MRA systems but isn’t in the actual traffic path; it does geoDNS for the connecting client and keeps track of the status of each E we have so that it doesn’t direct traffic to an Expressway-E that is unavailable. This works perfectly fine for our system landscape.